The Software Engineering Institute is a Federally Funded Research and Development Center (FFRDC), similar to places like Los Alamos, Sandia, or Lincoln Labs. So yes, they certainly receive funding from the government, and that probably includes funding from the FBI.

It sounds like what they are saying is that they were doing general research on Tor as part of their normal research activities. Funding for this, like all other research they do as an FFRDC, comes from the federal government in some form. So yes, indirectly I'm sure the government paid for the research, but that does not seem shocking.

All in all, it's hard to understand what all the fuss is about for this, it seems pretty much in line with the goals of an FFRDC to do this type of research.

Posted
by
samzenpus
on Wednesday April 29, 2015 @11:36PM
from the company-store dept.

Lasrick writes: Nick Gillard from Project Alpha points out that for more than 3 decades, Iran has purchased goods for its nuclear program largely from the shadows. With the Framework Agreement, that will almost certainly change: "According to the US State Department, one of the agreement's provisions creates a dedicated procurement channel for Iran's nuclear program. This channel will monitor and approve, on a case-by-case basis, the supply, sale, or transfer to Iran of certain nuclear-related and dual-use materials and technology." That is terrific news for US companies, because Iran is known to covet US-made parts required for their program, most of which are "dual-use."

You're assuming the machine simply goes "ping". It will actually return data that would be post processed and then show characteristics of gravitational waves.

In some (very loose) sense it's like the search for the Higgs Boson. We don't have a machine that says "yeah I saw a Higgs Boson, turning off now!". It returns a bunch of data that gets analyzed and might show characteristics we expect.

In order to know it is working, we would compare the data it finds to mathematical models of what a black hole merger or something would look like.

If other people are attacking you, should you lay down all your weapons and hope they do the same?

Are people attacking Exodus via TOR? If not, then what ethical justification does it have for involving itself as the NSA's mercenary?

I'm all for self-defense; it's aiding aggression that I find unethical.

I don't think it matters whether we take Exodus or the US Government. I'm not really sure why being a mercenary is so bad? What is the difference if the US Government pays Exodus or hires the people working for Exodus to write exploits directly?
And yes, people are using Tor to fight against the US; certainly hackers and terrorists use Tor. (I don't believe more than a small fraction of Tor users are malicious, but malicious users undoubtedly exist.

Clearly, I'm failing to understand -- what is there about your hypothetical situation that precludes responsible disclosure?

Also, responsible disclosure is sort of tautologically ethical because it does consider context (that's what the "responsible" part means). If you're not sure what kind of disclosure is responsible, then the only ethical option would be to forgo the hacking.

If you have responsibly disclosed every exploit you know about, you are not going to be able to hack into the computer which triggers the bomb. I'm not sure why this isn't obvious. Unless somehow your "responsible disclosure" allows for holding on to exploits until you need them for dire situations, you have no way to stop such a computerized device.

Let's be more concrete here: someone has hooked up a Raspberry Pi to detonate a bomb, which is triggered, say, over Tor. Whoever made this wasn't stupid: it has a heartbeat which will detonate the bomb if it fails, so you can't just jam it or cut off internet access. It has normal motion sensors, etc. You have 1 hour to disable it.
I propose that given the possibility of such a scenario (or scenarios like this; obviously this is an extreme and contrived example to try to prove a point), it is ethical to withhold disclosure of vulnerabilities. In your proposed scenario, the government has "emptied its cyber arsenal". It has nothing it can do to prevent such an attack. I believe it is superior to have the capability to prevent such an attack.

Being forced to choose the lesser of two evils doesn't mean you should become the active accomplice of that evil.

Besides, on a more practical note, you're also failing to consider the rest of the collateral damage. By supporting Exodus's position, you're saying that hypothetically saving the lives of the Iranian scientists is worth hypothetically risking the lives of TOR users worldwide.

Except it isn't that simple.. one side has to win. If the US Government doesn't have people writing exploits, they are losing tools that help them to fight $ENEMY.

It's like saying we shouldn't have fought in Wold War II against Hitler, because war is bad. The Allied forces were the "lesser of two evils"--evil, of course, because war is unethical just like hacking is. Why choose to actively help the lesser of two evils? We should have remained neutral.
We can ignore any historical facts for the sake of hypothetical arguments and say Hitler would have succeeded with 100% certainty without US support.
In this sort of scenario are you trying to say that the ethical thing to do is nothing? It really sounds like we have some huge differences of opinion in all of this, so this probably isn't going anywhere.

Ugh, maybe on this computer my replies will show up with my user account (I don't mind a bit of bad karma every now and then, and I think it is hard to have an actual discussion with an AC post). Anyway..

Didn't your parents ever ask you rhetorical questions like "if your friends all jumped off a bridge, does that mean you should do it too?" or tell you "the ends do not justify the means" when you were a kid?

I think this is more akin to "an eye for an eye makes the whole world blind". But obviously, just because something is a catchy statement, that doesn't mean it's good advice.
If other people are attacking you, should you lay down all your weapons and hope they do the same? Maybe, but it's not a cut and dry situation like you make it out to be. I agree that in an ideal world, no one would exploit anyone, and all of our software would be bug free. But it seems naive to base our actions off of that world view when it is not the case. Is fighting and war bad? Yes. But I don't think a Ghandi approach will work in all situations, and sometimes fighting back is necessary. (That doesn't mean all cases, of course.)

Hacking without responsible disclosure is always unethical, and what others choose to do is irrelevant.

I think this is an incredibly bold statement. I think it's a bit hard to judge the ethics of exploiting a computer "in a vacuum", the context certainly matters. Let's take a hypothetical situation: if a computer was used as the trigger for a bomb which was going to go off and kill 100 people, would it not be ethical to hack in to the computer and disable it? [we can assume it also has all the fancy triggering mechanisms in place.. capacitive sensing in case someone gets too close, tilt/shock sensors in case something tries to move it, etc]
I find that belief absurd. And while I'm sure that wasn't the situation you envisioned when you made that claim, I think it's important to note there are cetainly extreme cases where hacking into a computer is clearly ethical.
If we're able to agree that sometimes computer hacking is ethical, then it just becomes a question of where the line is drawn. How much personal information needs to be on the computer about to detonate a bomb before you decide it isn't The Right Thing To Do to hack in? I am sure there are cases where the government is happy to hack into something that I think is ethically dubious, but again, I think it is absurd to say it is never ethical.

The other thing is you have to consider that "cyber weapons" mean governments can gain intelligence or affect systems without hurting people. Stuxnet is an interesting example. How many lives would have been lost if instead someone bombed the Iranian nuclear facility, or killed off Iranian scientists (yes, I know this still happens anyway, sadly)? Stuxnet was a virus that infected the public's computers as well.
Based on our discussion so far I would expect you to say something like "well sure, maybe it's better than bombing, but having neither would be even better". That's a totally understandable stance, but again, that isn't the world we live in. I think it's a step in the right direction to at least try to minimize deaths.

Anyway, it doesn't sound like we're going to come to an agreement on anything, and that's fine. I definitely understand how hacking can be a moral grey area, and not everyone has to agree. However, I just hope people will accept that it is at least a moral grey area, rather than a moral black area.

The TEDxAustin talk you mentioned is focused on GPS spoofing to make a receiver think that it is somewhere else. Spoofing in that sense has been around for a long time, and while it is very cool and everything, it isn't what is novel about this paper/attack.
This paper goes from just making a GPS receiver think it is located somewhere else to actually exploiting software vulnerabilities in GPS receivers to cause them to crash and things like that. The attacks are related, but the position based spoofing is just a subset of this work.

I don't think you looked at the paper really. GPS spoofing and jamming are nothing new (as is mentioned in the paper). The new aspect is that there are software attacks that can be done on the receivers.
For example, one of the divide by zero errors will cause a denial of service attack on some receivers. This is vastly different from jamming, because the DoS continues even after the transmitter is shut off. Jamming would obviously stop as soon as the transmitter is turned off. That is the new, exciting, and dangerous part of all this.

Posted
by
timothy
on Thursday May 10, 2012 @12:47PM
from the even-your-keyboard dept.

surewouldoutlaw writes "Remember that scene in Fantasia where Mickey turns all the brooms into an army of workers? Well, Disney isn't quite there, yet. But scientists with the company's research lab at Carnegie Mellon University in Pittsburgh have been able to turn virtually any surface, including liquid water and the human body, into a multi-touch interface. The new system is called Touché, and it is as awesome as it sounds."

How do you deal with noise for something this sensitive? If you're trying to measure the sound of a bacterium, and someone coughs, or walks by the room, or a truck drives by, how do you cancel that out?

I guess I just don't see how their SNR can be high enough with something that sensitive.

Although 12 million is certainly a large number, the US has many more travelers than that. In 2009, Atlanta's airport had something like 90M travelers use the airport. That means that one airport has more traffic than all of the airports combined in Israel.

I agree that their airport security model is superior, and maybe it can scale to large airports in the USA, but if we have dozens of airports with more traffic than their busiest airport, scaling is very far from a simple task.

What does the article mean by e-ink like power consumption? I can't tell if this technology requires power to remain in a given state, or whether it can be static like e-ink. Although the low power consumption of e-ink displays is largely due to their lack of a backlight, being able to display static content with 0 power consumption is really one of the coolest parts about e-ink tech.

I read the article but it didn't seem to answer this, do any readers know? If it could display static content for free then that would be incredibly awesome.